
Enterprise Resilience:

Managing Risk in the Networked Economy


by Randy Starr, Jim Newfrock, and Michael Delurey
from strategy+business issue 30, spring 2003
strategy+business magazine is published by Booz Allen Hamilton Inc.
Two companies; same crisis; vastly different responses and outcomes.

A Nordic telecommunications company and its primary competitor, another European telecom manufacturer, both depended on the same Koninklijke Philips Electronics NV semiconductor plant in New Mexico for chips to power their mobile phones. But when a fire broke out at the factory in March 2000, the supply chain was disrupted.

The Nordic company's officials noticed the problem even before being told that a plant had gone down. Its chief supply troubleshooter immediately put together a team of 30 supply chain experts to fan out across Europe, Asia, and the U.S. to patch together a solution. They redesigned chips, accelerated a project to boost production, and used the company's clout to obtain more chips from other suppliers. The other company, with fewer fail-safe and troubleshooting systems built into its supply network, came up millions of chips short of the supply needed to launch a critical new product. The result, according to the Wall Street Journal: The Nordic company's market share grew by 3 percent; the competitor's dropped by the same amount. Before long, the other company withdrew from the handset market.
This stark tale of gain and loss underscores a new operating reality confronting companies everywhere: Drivers of earnings, definitions of risk, underlying risk interdependencies, and ways to manage them have changed. Firms generally have thought of risk as the downside hazard to their financial portfolios and have concentrated their risk management efforts on hedging their portfolios against loss. But the Nordic company's success in weathering a potentially debilitating disruption to its supply chain, and ultimately gaining competitive advantage from its efforts, shows that companies can profit by adopting a broader understanding of and more comprehensive processes for managing risk across the extended enterprise in an increasingly complex global economy. In doing so, they establish greater enterprise resilience (ER).

Understanding interdependencies and planning for discontinuities is the path to corporate agility.

Illustration by David Plunkert
In this article, we detail the differences between conventional enterprise risk management and enterprise resilience, and explain why a keen understanding of the distinction is essential today, when the boundaries of every major corporation have expanded, increasing a company's vulnerabilities and its potential for competitive advantage. We also identify how senior executives can assess their organization's resilience profile and risk management approach. And we explain how corporate managers can align risk mitigation strategies with the most significant earnings-driver risks, and close dangerous gaps in their company's resilience profile.
The Adaptation Imperative
Enterprise resilience is the ability and capacity to withstand systemic discontinuities and adapt to new risk environments. A resilient organization effectively aligns its strategy, operations, management systems, governance structure, and decision-support capabilities so that it can uncover and adjust to continually changing risks, endure disruptions to its primary earnings drivers, and create advantages over less adaptive competitors.

A resilient organization establishes transparency and puts in place controls for CEOs and boards to address risks across the extended enterprise. It can withstand improper or fraudulent employee behavior, IT infrastructure failures, disruptions of interdependent supply chains or customer channels, intellectual property theft, adverse economic conditions across markets, and the myriad other discontinuities companies face today.

Randy Starr (starr_randy@bah.com) is a principal in Booz Allen Hamilton's New York office. He specializes in combining business and technology strategy with market insights to implement growth strategies and new business models.

Jim Newfrock (newfrock_jim@bah.com) is a senior director and treasurer with Booz Allen Hamilton in New Jersey. He is responsible for global risk management at the firm and specializes in the interplay of business strategy and enterprise risk.

Michael Delurey (delurey_mike@bah.com) is a principal with Booz Allen Hamilton in Virginia. He specializes in strategic planning, policy analysis, and policy development for government clients with a focus on complex network analysis and critical infrastructure protection.
Establishing greater resilience is especially necessary in the current economic and security environment, which poses a new set of challenges to executives and boards. The openness and complexity of today's extended enterprise increases the firm's dependence on a global financial, operational, and trade infrastructure. Although that provides for greater efficiency and effectiveness, it also exposes most companies to risks that were unfamiliar during the era of national markets and the vertically integrated enterprise, and compounds the effect of conventional business risks.

What's more, the legal and regulatory landscape has undergone significant change since the September 11, 2001, terrorist attacks and the accounting and governance scandals in the United States, raising the level of diligence stakeholders expect from senior executives, boards of directors, and board audit committees in ensuring the safety and continuity of the enterprise. The July 2002 United States National Strategy for Homeland Security recommends that industry sectors and corresponding government agencies responsible for critical infrastructure protection develop national infrastructure assurance plans that bridge the public and private sectors. The Sarbanes-Oxley Act of 2002 has tightened boards of directors' audit committee responsibilities, imposed new CEO and CFO certification requirements, and raised the standard of care obligations on management dramatically. The Basel II Accord commits financial-services institutions to set aside larger capital reserves against possible future operational disruptions.

Guided by these and other requirements, underwriters of risk, such as insurance, equity, and debt markets, will more aggressively distinguish between those businesses that are resilient and those that are not. To maintain earnings consistency and preserve and grow shareholder value, chief executives and board members need the capacity to sense and respond effectively to increasingly complicated levels of risk: risks that cannot necessarily be transferred through conventional means, such as insurance.
Interdependence Risk
Our emphasis on the importance of earnings consistency matches that of the capital markets. A company's fate is determined by its ability to generate a reliable pattern of earnings growth. Companies that reduce earnings volatility and lower the probability of large losses are rewarded by financial markets with less expensive and better access to capital. What's more, markets place consistency premiums on the stock valuations of companies that both promise and produce a steady pattern of increasing profits.

The business activities that enable the firm to gain a competitive advantage and sustain growth vary across both industries and companies. For some, manufacturing facilities represent the core earnings driver; for others, IT networks, customer support operations, supply chains, intellectual property, or a combination thereof power earnings. Traditionally, risks have not been perceived in the context of key earnings drivers, but rather in broad categories, each of which was managed in a functionally isolated way. Thus, financial risk became the province of the CFO, operations risk the responsibility of the COO, and network security the task of the CIO. Rarely do they or their business continuity or security programs link together in support of strategic objectives.

Senior executives have understandably renewed their attention to conventional risk mitigation programs. Seventy-five percent of Fortune 1000 CEOs surveyed by RoperASW on behalf of Booz Allen Hamilton in late 2001 expressed increased concern about such day-to-day activities as mail processing, travel, protection of employees, and protection of infrastructure. But by defining risk and security narrowly as the protection of personnel, plant, data, and financial position, CEOs and boards overlook the more prevalent perils they face conducting business in a networked global economy.

Networks are one of the great advances in industrial organization. Over the course of the last half century, the vertically integrated company has given way to the networked enterprise, an organizational structure characterized by greater agility and adaptability. Successful firms today must deal with intertwined layers of information, raw materials, analytical data, customer communication and service, and network infrastructure at unprecedented speed while maintaining countless secure relationships with third-party organizations, such as suppliers, technology outsourcers, and government regulators. "The diversity of networks in business and the economy is mind-boggling," writes Albert-László Barabási, the physicist and author of Linked: The New Science of Networks (Perseus Publishing, 2002). "There are policy networks, ownership networks, collaboration networks, organizational networks, network marketing, you name it."
Diagnose Your Enterprise Resilience: Eight Fundamental Questions

1. Are the complexity of the extended enterprise and major earnings drivers across it transparent?
2. Are interdependencies understood and interdependence risks identified?
3. What programs are in place to ensure the viability of earnings drivers?
4. Are these programs fully aligned with corporate strategy and objectives, and do we understand the trade-offs within these programs?
5. Do we know what we spend on resilience?
6. How good is our situational awareness, that is, do we have enough business intelligence, internal and external, and is it directed to the appropriate parties?
7. Do we distill such intelligence properly and in a timely enough fashion to react to it?
8. Who is accountable for resilience, and how do we make decisions and measure progress?
Yet while the organizational and economic impact of networks is well known, their vulnerabilities remain largely unexplored by businesses. The reliance on open borders, transnational alliances, and global markets for capital, goods, and services has generated a "just in time" economy, which, although remarkably cost-efficient, leaves companies open to a range of discontinuities that can affect operations, reputation, customer habits, legal standing, regulatory compliance, earnings performance, and ultimately shareholder value. We call these new vulnerabilities, collectively, interdependence risk, and define it as unanticipated risk exposure across the extended enterprise that is beyond an individual organization's direct control. Examples of interdependence risk include supply chain disruption, government intervention, and public infrastructure destruction.

The scale and impact of a disruptive event is a function of the relative importance of the dislocated entity and the degree of its integration into a broader extended enterprise. A problem that appears localized could ripple across an extended enterprise, an industry sector, or even a national or multinational economy. The capacity to withstand such disruptions is a function of a firm's systemic resilience: its ability to understand its interdependencies, and to foresee and plan around discontinuities that can occur within them.

Interdependencies have grown not only within the private sector. Governments and industries are increasingly dependent on each other at a level of intricacy not seen, in the United States at least, since World War II. The National Strategy for Homeland Security calls for the development of protection plans in 14 critical infrastructure sectors (such as energy, telecommunications, defense industrial base, and banking and finance); although private industry overwhelmingly owns and operates these sectors, government and business must collaborate to develop and implement the assurance plans. One current public-private sector partnership model is the National Security Telecommunications Advisory Committee (NSTAC), which supports the Office of the President in addressing telecommunications issues vital to U.S. national security and emergency preparedness needs. The stakes in such collaboration can be enormous. A war game, cosponsored by Booz Allen with the Council for Excellence in Government in December 2001, and designed to model the effects of an intentional release of pneumonic plague in multiple metropolitan locations, found that casualties would be dramatically reduced by cross-sector knowledge-sharing mechanisms.

Interdependence risk, within the private sector or across the public and private spheres, underlies many recent reports of operating loss. Consider what happened in September 2002 when a labor dispute shut down West Coast ports for several weeks. As critical supply chains stopped functioning normally, severely constraining manufacturing and product replenishment, U.S. companies lost an estimated $1 billion per day. The events highlighted the interdependencies among shipping companies, supply chain-intensive industries, contract logistics providers, and government agencies.
ER vs. ERM
Risk management models have not kept pace with the shift from centralized to networked organizations. In military terminology, most enterprise risk management (ERM) programs rely on "point solutions," which attempt to moderate risks by "hardening" potentially vulnerable spots against attacks, a futile exercise in a networked enterprise. An organization cannot simultaneously harden all the nodes within its network; threats will just migrate from a hardened node to more vulnerable points. Military strategy has long since adapted to this new understanding. In the early 1990s, when the U.S. Department of Defense recognized that its war-fighting doctrine of information superiority increased its dependence on networked communications systems, it transitioned from the traditional risk management technique of hardening every node to a "defense in depth" model, which uses a layered approach to security.

Directors and senior managers, many of whom are faced with analogous challenges, have not followed suit. In a recent survey of Fortune 1000 CFOs, treasurers, and risk managers by the National Association of Corporate Treasurers and other organizations, three-quarters of respondents agreed that a major disruption to their top earnings driver would either cause sustained damage to their company's earnings or threaten business continuity. Yet fewer than one-quarter of respondents said their current risk management efforts sufficiently anticipate a wide variety of potential large-loss events. (See Exhibit 1.)

Exhibit 1: Companies Are Not Prepared to Recover from Major Disruptions

- More than 75% of respondents say a major disruption to their top earnings driver would either cause sustained damage to their firm's earnings or threaten its continuity of operations.
- Fewer than 25% of respondents believe their current risk management efforts sufficiently address key areas of contingency planning.
- More than 33% of respondents say their company's senior management lacks a thorough understanding of the impact a major disruption would have on their company and the firm's level of preparation for a major disruption.
- Many senior executives still fail to recognize risk management as a priority.
- Improved communication among key stakeholders about risks and contingency planning is needed.

Source: Protecting Value Study, 2002. A survey of 199 financial executives and risk managers at Fortune 1000 firms in a variety of industries, sponsored by FM Global, the National Association of Corporate Treasurers, and Sherbrooke Partners. www.protectingvalue.com
In pursuing strategic objectives, boards and CEOs must factor into their decision making the trade-offs involved in selecting one risk alternative over another. Conventional ERM programs certainly help focus executives and directors on the nature of specific vulnerabilities, and they can provide partial frameworks to help firms protect potentially weak links from low-probability catastrophic risks. But they do not fully prepare companies for the discontinuities that can jeopardize earnings drivers. Conventional enterprise risk management fails to account for interdependencies across vertical and horizontal corporate operations and thus tends to underestimate the range and severity of risks faced by the firm. Such network discontinuities can accumulate exponentially and often spiral out of control, subjecting a company to levels of loss without modern precedent. So Barings Bank learned when the actions of a single trader in Singapore destroyed the centuries-old institution.

In sharp contrast to traditional ERM, enterprise resilience planning advances a company's speed and flexibility by crafting an integrated first line of defense and an offensive strategy to guard the entire extended enterprise against new, unavoidable risks that are the by-products of interdependent operations. ER results from a planned series of safeguards against discontinuities encompassing everything from logistics, inventory control, and distribution channels to relations with government agencies, customers, and suppliers. Unlike enterprise risk management programs, which tend to focus only on how major categories of corporate risk interact at a tactical level, ER planning better aligns risk management activity and spending with the most fundamental components of corporate strategy and performance: corporate growth and profit drivers, earnings consistency, and shareholder value. Resilient organizations are sensing, agile, networked, and prepared. They think ahead to even the most outrageous possibilities, training themselves, as the Harvard Business Review put it, "how to survive before the fact." (See "Diagnose Your Enterprise Resilience: Eight Fundamental Questions," page 4.)
ER planning begins with the identification of the greatest risks across the enterprise, including interdependencies, and then generates a targeted program, integrated with overall corporate strategy, for mitigating these risks. ER is a continuous process that creates the ability to adjust readily to new risks and opportunities, based on the strategic priorities and operational tempo of the business. It enables executives and managers to make educated trade-off decisions when they develop a risk mitigation strategy, balancing the costs and benefits to meet overall risk management targets and improve earnings consistency.

War-Gaming and Resilience Planning

Frequently conducted in conjunction with an enterprise resilience audit, war-gaming is an effective tool for understanding a company's or an industry's resilience posture. These strategic simulations use mock crises to gauge how well executives and staff are prepared to face serious business discontinuities.

The most effective war games occur over two days and involve a series of crisis simulations in which critical components of a company's or an industry's resilience are tested with players from different, yet related, stakeholder groups. Through a real-time simulation, with one group making a move and others responding, action by action, vulnerabilities can be exposed and mitigation strategies developed.

For example, Booz Allen Hamilton and the Conference Board sponsored a port security war game in October 2002, just after West Coast ports in the U.S. were shut by a labor action. Participants included representatives from government agencies, supply chain-intensive industries, and contract logistics providers. The war game simulated an unanticipated closure of shipping ports after several "dirty bombs" were found in containers shipped to U.S. ports. The exercise found that companies reliant on the ports would likely have to sacrifice just-in-time efficiency to some degree, and replace it with a more robust "just-in-case" supply pipeline.

With such insights, companies can attempt to find the necessary balance between just-in-time production and just-in-case resilience, and to answer crucial questions: What would be the effect on earnings if we stockpiled three weeks of supply? Are there innovative ways to create these reserves besides paying for them outright? What loss would insurance cover? What are the projected costs of alternative shipping versus stockpiling? How well do we understand whom to call and what to do during such an event? How prepared are we to communicate mediation steps?

War-gaming's greatest value is that it exposes ideas that participants don't realize they have and uncovers solutions that are not apparent. Additionally, war-gaming forces organizations to think differently, to examine the validity of their assumptions about systemic risks. For example, the port security war game uncovered the critical fact that companies must consider security a strategic and necessary element of global trade resilience. Another insight was that local and national public-private partnerships are essential to finding an effective global port security solution. When war games include participants from interdependent companies or involve a mix of private-sector and public-sector players, consensus can be forged on the need for collective action, and the action plan itself can take shape.

R.S., J.N., and M.D.
There are three essential steps to becoming a resilient enterprise:

Diagnose enterprise-wide risk and interdependencies. A company must first define its extended enterprise and determine its earnings drivers. Once this is achieved, a transparent and consolidated view of risks across the extended enterprise can be developed, helping executives to understand the company's network interdependencies. After the enterprise is mapped, a baseline view of risk mitigation plans and spending can be developed to identify gaps and prioritize risk mitigation objectives. The resilience diagnostic should yield quick-hit opportunities associated with critical risks that management must address in the near term.

Adapt corporate strategy and operating model. The enterprise should use cost-benefit analysis that links cross-functional risk mitigation planning to corporate strategy. Equally important, the CEO and board must adopt a common risk management and resiliency vocabulary that is comprehensible and intuitive to all, enabling executives and directors to understand a company's risk exposure and to make trade-off decisions in implementing risk mitigation strategies while pursuing strategic objectives.

Endure increased risk and complexity. This step involves developing an organizational structure that oversees and integrates business intelligence and risk monitoring for the extended enterprise; has the analytical tools and support capabilities to improve decision making and responses to risk as it changes; can measure risk mitigation with clearly defined benchmarks; can monitor the organization's resilience profile; and can implement best-practice risk mitigation solutions. The resilient organization, through an enhanced sensing capability, integrates business intelligence to improve situational awareness.
The ER Audit
As an initial step to building enterprise resilience, companies can apply a comprehensive, three-phase ER audit procedure that can aid senior management teams in developing integrated risk mitigation programs grounded in a company's real needs and built around its actual earnings drivers.

Step One: Enterprise Topology and Earnings-Driver Classification. In the diagnostic's first stage, the firm should identify its key earnings drivers and their associated risks. (See Exhibit 2.)

This should be done by mapping the extended enterprise and drawing a consolidated and transparent picture of how the company organizes systems, processes, and relationships inside and outside its walls to generate revenue and profits. The company must distinguish the earnings drivers themselves; the business processes, capabilities, and technologies that support them; and their vulnerabilities. To accomplish this, interviews are held with corporate decision makers and key management staff in all functional domains. Relationships among customers, partners, and suppliers are explored; IT network safeguards inventoried; and assets charted.

Step Two: Resilience Profiling and Baselining. After plotting the earnings drivers, the firm should use modeling tools and best practices in enterprise design to produce initial snapshots of an enterprise's resilience profile for each essential aspect of a company: financial, operations, technology, personnel, and security. Then the company's existing profile should be compared with an optimal level of resilience, a "to be" state, in each of these operations.

The firm's current risk mitigation plans, procedures, and costs, including business continuity and security programs, are examined in this phase. The intent is to determine how the current programs and the spending on them align with the earnings drivers identified in phase one. Both explicit and implicit risk mitigation spending must be baselined. Such spending includes costs associated with known security, business continuity, and disaster recovery programs, as well as costs associated with security, continuity, and recovery that are buried in budgets for departments or functions, such as IT or marketing. War-gaming is a particularly useful exercise in doing such advanced resilience profiling. (See "War-Gaming and Resilience Planning," page 7.)

A vital part of this phase is the development of an interdependency map to identify interdependence risks across the extended enterprise: hazards to earnings drivers that may result from unanticipated regulatory action, changes in supplier relationships, problems at clients, or other externalities. The baselining exercise also seeks to understand how market trends and corporate strategies will influence earnings drivers in the future. For example, a consumer goods manufacturer might discover that the business unit managing logistics between the factory and retailers for the company's flagship Product A is unaware of a new distribution chain developed by the team overseeing up-and-coming Product B. These redundant distribution channels could leave the manufacturer vulnerable because the delivery of two critical products would be interrupted simultaneously if the supply chain network sustained a disruption.

Such profiling and baselining helps identify gaps between existing risk mitigation programs and identifiable needs, allowing management to visualize at a glance weaknesses and strengths in the firm's current risk exposure and resilience posture. This impact analysis can identify areas for new investment and disinvestment. For example, a major retailer with state-of-the-art just-in-time inventory systems that require continual data inflows to determine how to stock shelves could be financially crippled if a disruption were to temporarily shut down its network grid.

By contrast, even the largest advertising agency could get by without too much damage if it lost its computers for a day or longer. However, an ad agency must protect the safety of its key personnel because its human assets are its most significant earnings driver.
Consequently, during the diagnostic's analysis stage, the to-be resilience state for the retailer would establish that the safeguarding of technology infrastructure is its highest target for investment, and personnel security is a lower investment target; the ad agency might have the opposite resilience profile. This rating does not imply that the retailer has a lower regard for personnel safety; it simply recognizes that the retailer's investments need to be focused on the technology infrastructure because that infrastructure is one of its primary earnings drivers.

Step Three: Resilience Strategy. The final phase of an enterprise resilience audit aims to develop a new resilience program based on the analyses of the firm's earnings-related risk mitigation needs. The most critical gaps between existing risk management programs and the to-be profile are isolated. After the financial commitment needed to close these gaps is determined, a cost-benefit analysis helps rationalize investment needs, finding the optimal balance among components of the risk mitigation effort.
Exhibit 3: Corporate Strategy and Risk Integration
[Figure not reproduced. Labels: Factors earnings-driver risks; Adapts to new risks environments; Extended enterprise view; Factors risk interdependencies; Transparency; Insight; Accountability; Decision making; Execution; Measurement; Boards of Directors and CEOs; Corporate Strategy; Risk Strategy; Enterprise Resilience.]

Exhibit 2: Determining Earnings-Driver Priorities: A Service Company Example
[Figure not reproduced. Axis labels: Immediacy of Impact on Earnings Drivers; Degree of Control. Scale labels: Immediate: Life-Threatening; Longer-Term: More Insidious; Low; High. Region label: Priority Earnings Drivers. Items plotted: Superb delivery and execution; Compliance (regulatory and client confidentiality); Market position/distinctiveness of offering; Maintenance of client relationships; Intellectual property; Sales effectiveness; Ability to attract, develop, and retain top staff; Global footprint; Infrastructure protection; Capacity management; Research and development; Market conditions.]
The cost assessment examines business resilience from three perspectives: people, operations (process and technology), and interdependencies. As an example, an established meat products company might learn that, overall, it has well-protected supply and distribution networks, moderate operations risk thanks to mature crisis and disaster management plans, but weak personnel security because its hiring and management procedures at international subsidiaries are inadequate. On the basis of this evaluation, the company could decide to reduce resources earmarked for disaster management and network oversight and redirect them to improve its recruitment, training, and inspection practices. Otherwise, it increases the risk that a devastating incident will occur (e.g., poor inspection practices could allow tainted meat to reach consumers and cause them to become ill).

After setting the gap-closing priorities and developing the full risk mitigation strategy, the executive team should agree on a migration path and gain the board's agreement on a timetable for the institution of near-term and longer-term resilience goals. Over time, enhanced business intelligence and information sharing should be developed to promote greater situational awareness.
Risk Is Reality
We believe that companies need to adopt a more integrated approach to risk management, one that links business strategy to enterprise resilience and business continuity planning. Using diagnostic tools, war-gaming, and decision-support capabilities, companies can establish a more effective, continuous, and consistent methodology for protecting the enterprise from internal and external risks.
The establishment of enterprise resilience should involve not only those routinely responsible for risk management and security, such as the CFO, CIO, and chief security officer, but also the CEO, the business unit general managers, the board of directors, and the board's audit committee. With their collaboration, a new risk management approach can be developed to provide a steady stream of information to the organization's top decision makers about the vulnerability of earnings drivers. (See Exhibit 3.) Done this way, ER planning will improve corporate governance and enhance decision making within a company.
Businesses have always faced risks, but recent events have provided dramatic evidence that, in today's economy, risk is reality. Not all risks can be anticipated, but they can be managed, by senior executives, boards, and stakeholders working together to create a resilient enterprise. Stakeholder expectations are higher than ever, and enterprises that are more resilient will experience more rewards, from increased customer and partner loyalty to the realization of premiums for improved earnings consistency.
Reprint No. 03107
Shareholder expectations are higher than
ever. Resilient companies will reap rewards,
from increased partner and customer
loyalty to improved earnings consistency.
Resources
Mark Gerencser and DeAnne Aguirre, "Security Grounds the CEO Agenda," s+b, Second Quarter 2002; www.strategy-business.com/press/article/?art=313296&pg=0
Ralph W. Shrader and Mike McConnell, "Security and Strategy in the Age of Discontinuity: A Management Framework for the Post-9/11 World," s+b, First Quarter 2002; www.strategy-business.com/press/article/?art=228408&pg=0
Diane L. Coutu, "How Resilience Works," Harvard Business Review, May 2002; www.hbsp.harvard.edu
Gary Fields, "An Ominous War Game," Wall Street Journal, December 4, 2002
Booz Allen Hamilton has been at the forefront of management consulting for businesses and governments for more
than 80 years. Booz Allen combines strategy with technology and insight with action, working with clients to deliver
results today that endure tomorrow.
With over 11,000 employees on six continents, the firm generates annual sales of $2 billion. Booz Allen provides
services in strategy, organization, operations, systems, and technology to the world's leading corporations,
government and other public agencies, emerging growth companies, and institutions.
To learn more about the firm, visit the Booz Allen Web site at www.boozallen.com. To learn more about the
best ideas in business, visit www.strategy-business.com, the Web site for strategy+business, a quarterly journal
sponsored by Booz Allen.
Booz Allen Global Assurance Campaign
Our nation is profoundly dependent on the critical infrastructures that are predominantly owned and operated by
the private sector. Government and business leaders have an obligation to create new public-private partnerships
to protect our economy and our industries. Resilient organizations align their strategy, operations, management
systems, and decision support capabilities to enable them to uncover, adapt to, and improve their responsiveness
to disruptions. For the government, the issue is mission; for industry, the issue is earnings consistency. As this war
game showed, together, government and industry can enhance the resilience of global trade. The Global Assurance
Team provides enterprise resilience services to businesses, and homeland security consulting services to the U.S.
federal and local governments.
What Booz Allen Brings
Mark Gerencser is a Senior Vice President of Booz
Allen Hamilton, specializing in helping clients achieve
enterprise resilience to gain a competitive advantage,
maintain business continuity, and protect and increase
shareholder value. In his 20 years with the firm, he
has worked with the Department of Defense, the
U.S. intelligence community, and such private sector
industries as health care, aerospace and defense,
high technology, and media. He can be reached
at gerencser_mark@bah.com.
Jim Weinberg is a Senior Vice President of Booz Allen
Hamilton in our Chicago office and assists companies
in step-change improvement in operations performance
through implementing new operating models and
technologies. Mr. Weinberg is a co-leader of Booz Allen
Hamilton's Enterprise Resilience practice, which is
forging new frameworks for managing risk in today's
dynamic and network-centric business environment. He
can be reached at weinberg_jim@bah.com.
2003 Booz Allen Hamilton Inc.